2019 Edition

CIA Preparatory Program

Part 1 Sections I & II Sample

Internal Audit Basics

Brian Hock, CIA, CMA and

Carl Burch, CIA, CMA with

Kevin Hock and Kekoa Kaluhiokalani

HOCK international, LLC P.O. Box 6553 Columbus, Ohio 43206 (866) 807-HOCK or (866) 807-4625 (281) 652-5768 www.hockinternational.com [email protected]

Published December 2018

Acknowledgements

Acknowledgement is due to the Institute of Internal Auditors for permission to use copyrighted questions and problems from the Certified Internal Auditor Examinations by The Institute of Internal Auditors, Inc., 247 Maitland Avenue, Altamonte Springs, Florida 32701 USA. Reprinted with permission.

The authors would also like to thank the Institute of Certified Management Accountants for permission to use questions and problems from past CMA Exams. The questions and unofficial answers are copyrighted by the Certified Institute of Management Accountants and have been used here with their permission.

The authors also wish to thank the IT Governance Institute for permission to make use of concepts from the publication Control Objectives for Information and related Technology (COBIT) 3rd Edition, © 2000, IT Governance Institute, www.itgi.org. Reproduction without permission is not permitted.

© 2018 HOCK international, LLC No part of this work may be used, transmitted, reproduced or sold in any form or by any means without prior written permission from HOCK international, LLC. ISBN: 978-1-934494-16-5

Thanks

The authors would like to thank the following people for their assistance in the production of this material:

• Lynn Roden, CMA for her assistance in the technical elements of the material,
• All of the staff of HOCK Training and HOCK international for their patience in the multiple revisions of the material,
• The students of HOCK Training in all of our classrooms and the students of HOCK international in our Distance Learning Program who have made suggestions, comments and recommendations for the material,
• Most importantly, to our families and spouses, for their patience in the long hours and travel that have gone into these materials.

Editorial Notes

Throughout these materials, we have chosen particular language, spellings, structures and grammar in order to be consistent and comprehensible for all readers. HOCK study materials are used by candidates from countries throughout the world, and for many, English is a second language. We are aware that our choices may not always adhere to “formal” standards, but our efforts are focused on making the study process easy for all of our candidates. Nonetheless, we continue to welcome your meaningful corrections and ideas for creating better materials.

This material is designed exclusively to assist people in their exam preparation. No information in the material should be construed as authoritative business, accounting or consulting advice. Appropriate professionals should be consulted for such advice and consulting.

CIA Part 1

Table of Contents

Exam Introduction
    Box Styles Used in This Book

Section I – Foundations of Internal Auditing
    A. The Purpose, Authority, and Responsibility of the IAA
    B. The Internal Audit Charter
    C. Assurance and Consulting Services
    D. IIA Code of Ethics

Section II – Independence and Objectivity
    A. Organizational Independence and Individual Objectivity
    B and C. Impairments to Independence or Objectivity
    D. Policies That Promote Objectivity

Appendix A: Glossary
Appendix B: Model Internal Audit Activity Charter

© 2018 HOCK international, LLC. For personal use only by original purchaser. Resale prohibited.


Exam Introduction

The CIA Part 1 exam, Essentials of Internal Auditing, is 150 minutes (2 hours and 30 minutes) long and consists of 125 multiple-choice questions. The CIA Part 1 syllabus has six sections:

• Section I: Foundations of Internal Auditing (15%)
• Section II: Independence and Objectivity (15%)
• Section III: Proficiency and Due Professional Care (18%)
• Section IV: Quality Assurance and Improvement Program (7%)
• Section V: Governance, Risk Management, and Control (35%)
• Section VI: Fraud Risks (10%)

Additionally, the IIA syllabus refers to proficient and basic cognitive levels:

• Proficient. Candidates must exhibit thorough understanding and ability to apply concepts, processes, or procedures; analyze, evaluate, and make judgments based on criteria; and/or put elements or material together to formulate conclusions and recommendations.
• Basic. Candidates must retrieve relevant knowledge from memory and/or demonstrate basic comprehension of concepts or processes.

In preparing for the exam, candidates need to read the textbook and use the ExamSuccess software with questions from past exams. Many of the exam topics are very large; therefore, by studying past exam questions candidates can get a feeling for the manner and depth to which a topic is tested. As a word of caution, you might notice that the terminology used in this book may be different than what you are familiar with from your workplace. Because internal auditing is an internal activity, there are no established or standardized terms that apply in every organization. Keep in mind that the terms used in this book are the terms that appear on the exams, so you should become accustomed to them.

Box Styles Used in This Book

The following box styles used throughout this book indicate material quoted from various IIA sources. Minor changes may have been made to the formatting, but no changes have been made to the content.

Content quoted from the IIA website [1] appears in light grey boxes with an orange border.

Content quoted from the Standards or Implementation Guides appears in yellow boxes.

Content quoted from Practice Advisories or Implementation Guides appears in orange boxes.

Note: Quotes may not include the entire section or may include non-sequential sections.

[1] The website is https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx#mandatory.


Section I – Foundations of Internal Auditing

The best place to start preparing for CIA Part 1 is by understanding the guidance for internal auditors and a company’s internal audit activity (IAA). The IIA provides explanations and outlines of the different categories of guidance, so when it is appropriate, the IIA explanation and description of the various sources of guidance will be provided.

The main source of guidance is the International Professional Practices Framework (IPPF). Within the IPPF there are the following sections:

• The Mission of Internal Audit
• Mandatory Guidance
• Recommended Guidance

As the names indicate, only mandatory guidance must be followed.

Standards & Guidance — International Professional Practices Framework (IPPF)®

The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. A trustworthy, global, guidance-setting body, The IIA provides internal audit professionals worldwide with authoritative guidance organized in the IPPF as mandatory guidance and recommended guidance.

Mandatory Guidance

Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal auditing. Mandatory guidance is developed following an established due diligence process, which includes a period of public exposure for stakeholder input. The mandatory elements of the IPPF are:

• Core Principles for the Professional Practice of Internal Auditing
• Definition of Internal Auditing
• Code of Ethics
• International Standards for the Professional Practice of Internal Auditing (Standards)

Recommended Guidance

Recommended guidance is endorsed by The IIA through a formal approval process. It describes practices for effective implementation of The IIA’s Core Principles, Definition of Internal Auditing, Code of Ethics, and Standards. The recommended elements of the IPPF are:

• Implementation Guidance — assist internal auditors in applying the Standards.
• Supplemental Guidance (Practice Guides) — provide detailed processes and procedures for internal audit practitioners.


This graphic from the IIA website provides a visual representation of the IPPF, the Mission, the Mandatory Guidance, and the Recommended Guidance.

When you are presented with a question, look first in the Mandatory Guidance for an answer. If there is no answer in the Mandatory Guidance, look in the Recommended Guidance.

The Mission of Internal Audit

The mission describes the goals of the internal audit activity within the organization and encompasses all of the remaining elements of the IPPF.

The Mission of Internal Audit articulates what internal audit aspires to accomplish within an organization. Its place in the New IPPF is deliberate, demonstrating how practitioners should leverage the entire framework to facilitate their ability to achieve the Mission.

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Exam Tip: Memorize the Mission of Internal Audit.


Mandatory Guidance

“Mandatory guidance” refers to standards and principles from the IIA that must be followed. “Mandatory” means that it is a requirement, not a suggestion. The four sources of mandatory guidance are:

1) Core Principles for the Professional Practice of Internal Auditing
2) Definition of Internal Auditing
3) Code of Ethics
4) International Standards for the Professional Practice of Internal Auditing (Standards)

The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit activity to be considered effective, all Principles should be present and operating effectively. How an internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles may be quite different from organization to organization, but failure to achieve any of the Principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission.

The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing. The definition is:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The Code of Ethics states the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct and behavioral expectations rather than specific activities.

The Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:

• Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable for organizations and individuals.
• Interpretations, which clarify terms or concepts within the statements.
• Glossary Terms.

It is necessary to consider both Statements and Interpretations to understand and apply the Standards correctly. The Standards employ terms that have been given specific meanings included in the Glossary.

Exam Tip: Memorize the Definition of Internal Auditing.


The Core Principles

There are ten Core Principles that provide guidance for the IAA:

1) Demonstrates integrity.
2) Demonstrates competence and due professional care.
3) Is objective and free from undue influence (independent).
4) Aligns with the strategies, objectives, and risks of the organization.
5) Is appropriately positioned and adequately resourced.
6) Demonstrates quality and continuous improvement.
7) Communicates effectively.
8) Provides risk-based assurance.
9) Is insightful, proactive, and future-focused.
10) Promotes organizational improvement.

Exam Tip: Memorize the ten core principles of internal auditing.

Introduction to the Standards

The Standards provide a guide for the practice of internal auditing. Most of the Standards are tested on the CIA exam, but initially it is important just to understand the structure of the Standards. This text from the IIA is an excellent outline of the Standards and its objectives.

Internal auditing is conducted in diverse legal and cultural environments; for organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, conformance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities of internal auditors and the internal audit activity.

The purpose of the Standards is to:

1. Guide adherence with the mandatory elements of the International Professional Practices Framework.
2. Provide a framework for performing and promoting a broad range of value-added internal auditing services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

The Standards are principles-focused, mandatory requirements consisting of:

• Statements of core requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance that are internationally applicable at organizational and individual levels.
• Interpretations clarifying terms or concepts within the Standards.

The Standards, together with the Code of Ethics, encompass all mandatory elements of the International Professional Practices Framework; therefore, conformance with the Code of Ethics and the Standards demonstrates conformance with all mandatory elements of the International Professional Practices Framework.


The Standards employ terms as defined specifically in the Glossary. To understand and apply the Standards correctly, it is necessary to consider the specific meanings from the Glossary. Furthermore, the Standards use the word “must” to specify an unconditional requirement and the word “should” where conformance is expected unless, when applying professional judgment, circumstances justify deviation.

The Standards comprise two main categories: Attribute and Performance Standards. Attribute Standards address the attributes of organizations and individuals performing internal auditing. Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. Attribute and Performance Standards apply to all internal audit services.

Implementation Standards expand upon the Attribute and Performance Standards by providing the requirements applicable to assurance (.A) or consulting (.C) services.

Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. The nature and scope of an assurance engagement are determined by the internal auditor. Generally, three parties are participants in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter—the process owner, (2) the person or group making the assessment—the internal auditor, and (3) the person or group using the assessment—the user.

Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice—the internal auditor, and (2) the person or group seeking and receiving the advice—the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.

The Standards apply to individual internal auditors and the internal audit activity. All internal auditors are accountable for conforming with the standards related to individual objectivity, proficiency, and due professional care and the standards relevant to the performance of their job responsibilities. Chief audit executives are additionally accountable for the internal audit activity’s overall conformance with the Standards.

If internal auditors or the internal audit activity is prohibited by law or regulation from conformance with certain parts of the Standards, conformance with all other parts of the Standards and appropriate disclosures are needed.

If the Standards are used in conjunction with requirements issued by other authoritative bodies, internal audit communications may also cite the use of other requirements, as appropriate. In such a case, if the internal audit activity indicates conformance with the Standards and inconsistencies exist between the Standards and other requirements, internal auditors and the internal audit activity must conform with the Standards and may conform with the other requirements if such requirements are more restrictive.

The review and development of the Standards is an ongoing process. The International Internal Audit Standards Board engages in extensive consultation and discussion before issuing the Standards. This includes worldwide solicitation for public comment through the exposure draft process. All exposure drafts are posted on The IIA’s website as well as being distributed to all IIA institutes.

Note: The IIA’s Standards Glossary is presented in Appendix A.

Note: Being familiar with the Standards is one of the best ways to prepare for the exam. The original text of the Standards is presented in the textbook where it is relevant.


Types of Standards

1) Attribute Standards

Attribute Standards (1000–1300) are concerned with the characteristics of the organization and the parties performing the auditing activities. The primary components of the Attribute Standards are:

• Purpose, Authority, and Responsibility (1000). The purpose, authority, and responsibility of the IAA should be formally defined in the internal audit charter, consistent with the Standards, and approved by the board.
• Independence and Objectivity (1100). The IAA must be independent and the internal auditors must be objective in performing their work.
• Proficiency and Due Professional Care (1200). The engagement must be performed with proficiency and due professional care.
• Quality Assurance and Improvement Program (1300). The Chief Audit Executive (CAE, the head of the IAA) must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program must be designed to help the internal auditing activity add value and improve the organization’s operations. Furthermore, the program must provide assurance that the internal audit activity conforms to the Definition of Internal Auditing, the Standards, and the Code of Ethics.

2) Performance Standards

Performance Standards (2000–2600) describe the internal audit activities and criteria against which the performance of these services can be evaluated. The primary components of the Performance Standards are:

• Managing the Internal Audit Activity (2000). The CAE must effectively manage the internal audit activity to ensure that it adds value to the organization.
• Nature of Work (2100). The internal audit activity must evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.
• Engagement Planning (2200). Internal auditors must develop and record a plan for each engagement, including the scope, objectives, timing, and resource allocations.
• Performing the Engagement (2300). Internal auditors must identify, analyze, evaluate, and record sufficient information to achieve the engagement’s objectives.
• Communicating Results (2400). Internal auditors must communicate the engagement results.
• Monitoring Progress (2500). The CAE must establish and maintain a system to monitor the disposition of results communicated to management.
• Resolution of Management’s Acceptance of Risks (2600). When the CAE believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the CAE and senior management must report the matter to the board for resolution.


3) Implementation Standards

Implementation Standards apply to the two specific types of engagements: assurance (.A) or consulting (.C). For example, Standard 1000 (Purpose, Authority, and Responsibility) consists of implementation standards 1000.A1 or 1000.C1, which are for assurance and consulting, respectively.

1) Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions. The internal auditor determines the nature and scope of the assurance engagement. There are generally three parties involved in assurance services:

   • The process owner, or the person or group directly involved with the process, system, or other subject matter.
   • The internal auditor, or the person or group making the assessment.
   • The user, or the person or group using the assessment.

2) Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties:

   • The internal auditor, or the person or group offering the advice.
   • The engagement client, or the person or group seeking and receiving the advice.

Note: The internal auditor should maintain objectivity and not assume management responsibility when performing consulting services.

Recommended Guidance

1) Implementation Guidance

Implementation Guides assist internal auditors in applying the Standards. They collectively address internal auditing’s approach, methodologies, and consideration, but do not detail processes or procedures.

2) Supplemental Guidance

Supplemental Guidance provides detailed guidance for conducting internal audit activities. These include topical areas, sector-specific issues, as well as processes and procedures, tools and techniques, programs, step-by-step approaches, and examples of deliverables.

Note: Previously, there was a category of recommended guidance called Practice Advisories (PAs). The PAs provided detailed guidance for the application of the Standards and were the best practices endorsed by the IIA for applying the Definition, Code of Ethics, and Standards. While the PAs are no longer included in the Recommended Guidance, they are included here where appropriate. The PAs tend to be longer and more detailed than the Implementation Guides and therefore make an excellent tool when preparing for the exam.


A. The Purpose, Authority, and Responsibility of the IAA

The purpose, authority, and responsibility of the internal audit activity is the foundation on which the IAA is built as it performs its work. The text of Standard 1000, as well as its Interpretations and Implementation Standards, are shown here:

Standard 1000 – Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

Interpretation: The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

Implementation Standards:

1000.A1 – The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.

1000.C1 – The nature of consulting services must be defined in the internal audit charter.

The purpose, authority, and responsibility of the IAA need to be stated in the Internal Audit Charter, which is covered in detail next.

B. The Internal Audit Charter

The internal audit charter (“the Charter”) provides the internal audit activity with a formal mandate to do its work. The Charter is:

1) Written by the Chief Audit Executive (CAE).
2) Approved by the senior management and the board or audit committee.
3) Communicated to engagement clients.
4) Reviewed periodically by the CAE to make certain it is still relevant and appropriate.

Note: The Model charter from the IIA is in Appendix B. We strongly recommend that you read through the entire Charter as you begin your studies and also as a final review before you take the exam.

The Charter should:

• Establish the internal audit activity’s position within the organization, including the nature of the CAE’s functional reporting relationship with the board.
• Authorize access to records, personnel, and physical properties relevant to the performance of engagements.
• Define the scope of internal audit activities.


Sections of the Charter

There are seven sections in the Model Charter.

1) Purpose and Mission. Includes both the Mission of Internal Auditing and the Definition of Internal Auditing.

From the Charter: The purpose of Company X’s internal audit activity is to provide independent, objective assurance and consulting services designed to add value and improve Company X’s operations. The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. The internal audit activity helps Company X accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

2) Standards for the Professional Practice of Internal Auditing. Establishes that the IAA will follow all of the mandatory elements of the IPPF. Additionally, the CAE must report periodically to the board about the IAA’s conformance to the Standards and Code of Ethics.

From the Charter: The internal audit activity will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. The chief audit executive will report periodically to senior management and the board regarding the internal audit activity’s conformance to the Code of Ethics and the Standards.

This requirement to follow the Standards is also set out in Standard 1010:

Standard 1010 – Recognizing Mandatory Guidance in the Internal Audit Charter

Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter

The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing must be recognized in the internal audit charter. The chief audit executive should discuss the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework with senior management and the board.

3) Authority. Establishes the dual reporting process for the IAA and:

   • What the board will do to make certain that the IAA has sufficient authority to fulfil its duties.
   • What the board authorizes the IAA to do. This includes the board providing the IAA with full, free, and complete access to all functions, records, property, and personnel that is needed for the IAA to fulfill its duties.

The Charter should specify the dual reporting process for the IAA.

From the Charter: The chief audit executive will report functionally to the board and administratively (i.e., day-to-day operations) to the chief executive officer.

4) Independence and Objectivity. Specifies that the IAA must have organizational independence and that internal auditors maintain objectivity. The first two paragraphs of this section are:

From the Charter: The chief audit executive will ensure that the internal audit activity remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the chief audit executive determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to appropriate parties.

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.


5) Scope of Internal Audit Activities. The potential scope of work for the IAA is vast. The main type of engagement is assurance, but it is also possible that the IAA will perform consulting engagements. However, if the IAA performs consulting engagements, that authorization must be specifically stated in the Charter.

From the Charter:
The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to the board, management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for Company X.

The chief audit executive also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. The internal audit activity may perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided the internal audit activity does not assume management responsibility.

Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management.

6) Responsibility. Outlines the specific responsibilities of the CAE.

From the Charter:
The chief audit executive has the responsibility to:
• Submit, at least annually, to senior management and the board a risk-based internal audit plan for review and approval. Communicate to senior management and the board the impact of resource limitations on the internal audit plan.
• Review and adjust the internal audit plan, as necessary, in response to changes in Company X’s business, risks, operations, programs, systems, and controls.
• Communicate to senior management and the board any significant interim changes to the internal audit plan.
• Ensure each engagement of the internal audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.
• Follow up on engagement findings and corrective actions, and report periodically to senior management and the board any corrective actions not effectively implemented.
• Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld.
• Ensure the internal audit activity collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the internal audit charter.
• Ensure trends and emerging issues that could impact Company X are considered and communicated to senior management and the board as appropriate.
• Ensure emerging trends and successful practices in internal auditing are considered.
• Establish and ensure adherence to policies and procedures designed to guide the internal audit activity.
• Ensure adherence to Company X’s relevant policies and procedures, unless such policies and procedures conflict with the internal audit charter. Any such conflicts will be resolved or otherwise communicated to senior management and the board.

7) Quality Assurance and Improvement Program. States that the IAA must perform engagements at the expected level of quality. The QAIP is one of the ways that the IAA assesses and ensures the proper level of quality and adherence to all of the Standards.

From the Charter:
The internal audit activity will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply The IIA’s Code of Ethics. The program will also assess the efficiency and effectiveness of the internal audit activity and identify opportunities for improvement.

The chief audit executive will communicate to senior management and the board on the internal audit activity’s quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside Company X.

C. Assurance and Consulting Services

The two main categories of services that the internal audit activity may provide are assurance and consulting services.

The Standards Glossary defines assurance services as:
An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

The Standards Glossary defines consulting services as:
Advisory and related client services, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization’s operations. Examples include counsel, advice, facilitation, process design and training.

The Standards state that internal auditors can only perform consulting services specifically defined in the internal audit charter.


Comparing Assurance and Consulting Engagements

In an assurance engagement, the auditor provides an assessment and states an opinion about whether or not something within the company is operating or performing correctly. The auditor should be objective in the investigation and independent in the decision. Examples of assurance engagements include:
• Assessing if controls are properly designed and implemented.
• Whether production standards are being met.
• The accuracy of recorded financial transactions.

In a consulting engagement, the auditor provides advice or makes a suggestion. The auditor does not need to be independent in a consulting engagement. Consulting engagements are often forward-looking rather than an analysis of past events.

Types of Assurance Engagements

Some of the more common categories of assurance engagements include:
• Risk and control assessments
• Audits of third parties and contract compliance
• Security and privacy audits
• Performance and quality audits
• Key performance indicator audits
• Operational audits
• Financial audits
• Regulatory compliance audits

Types of Consulting Engagements

The Charter must specifically state that the IAA may provide consulting services before any such engagements are started. Some of the more common categories of consulting engagements include:
• Training
• System design
• System development
• Due diligence
• Privacy
• Benchmarking
• Internal control assessments
• Process mapping

Note: More specific and detailed information about the types of assurance and consulting engagements is covered in CIA Part 2.


Standards for Consulting Engagements

The Practice Advisories list twelve principles to guide internal auditors during consulting engagements. This Practice Advisory, formerly PA 1000.C1-1, is no longer current, but the principles it outlined can still serve as a useful guide for internal auditors. The following list is a condensed version of these twelve principles:
• Value is added by the IAA when it performs both assurance and consulting services. In fact, the IAA is in a strong position to provide consulting services because of its professional standards and its knowledge of the company and its operations.
• Included in the internal audit charter is the provision that the IAA provide consulting and other appropriate services. Additionally, any rules or standards applicable to the consulting services must also be stated in the charter.
• The IAA may also provide other services besides assurance and consulting, such as investigating fraud and conducting due diligence.
• Consulting services do not impair the objectivity of either the internal auditor or the IAA. However, the auditor’s first duty is as an auditor, and so all actions need to be governed by the applicable internal audit guidelines and standards. Objectivity is not impaired as long as the internal auditor provides advice and does not take ownership of a specific process.

If an IAA is performing consulting engagements, it is imperative that the company’s internal auditors take extra precautions to determine that senior management and the board all understand and agree with the concept, operating guidelines, and communications required for performing consulting engagements. Independence and objectivity issues connected to both consulting and assurance engagements are covered in Section II.

D. IIA Code of Ethics

The Code of Ethics is an ethical guide for internal auditors. It neither provides specific guidance nor prescribes defined actions, because an auditor faces many different types of ethical situations. The four principles in the Code are:

1) Integrity. Auditors should behave in a way that reflects positively on the auditor and the profession.
2) Objectivity. Auditors should make decisions based on facts and information and not on their personal preferences or feelings.
3) Confidentiality. Auditors will learn many things that should be kept confidential. When in doubt, auditors should err on the side of not sharing information.
4) Competency. Internal auditors should have the necessary skills, knowledge, and experience to perform their work.

We strongly recommend that you memorize the Code of Ethics so that you can identify key words that may be in a question or answer choice. The full text of the Code of Ethics follows.


The Code of Ethics states the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, [sic] and behavioral expectations rather than specific activities.

Introduction to the Code of Ethics

The purpose of The Institute’s Code of Ethics is to promote an ethical culture in the profession of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about governance, risk management, and control.

The Institute’s Code of Ethics extends beyond the Definition of Internal Auditing to include two essential components:
• Principles that are relevant to the profession and practice of internal auditing.
• Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.

“Internal auditors” refers to Institute members, recipients of or candidates for IIA professional certifications, and those who perform internal audit services within the Definition of Internal Auditing.

Applicability and Enforcement of the Code of Ethics

This Code of Ethics applies to both entities and individuals that perform internal audit services.

For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics will be evaluated and administered according to The Institute’s Bylaws and Administrative Directives. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for disciplinary action.

Principles

Internal auditors are expected to apply and uphold the following principles:

1. Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

2. Objectivity
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

3. Confidentiality
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

4. Competency
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.

Rules of Conduct

1) Integrity
Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2) Objectivity
Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

3) Confidentiality
Internal auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

4) Competency
Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2. Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.


Section II – Independence and Objectivity

Independence and objectivity are defined in Standard 1100.

Standard 1100 – Independence and Objectivity
The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Interpretation:
Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

The model Charter also includes a statement about independence and objectivity.

From the Charter:
The chief audit executive will ensure that the internal audit activity remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the chief audit executive determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to appropriate parties.

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.

Independence and objectivity are also addressed in four other Standards:
1) Standard 1110 – Organizational Independence
2) Standard 1112 – Chief Audit Executive Roles Beyond Internal Auditing
3) Standard 1120 – Individual Objectivity
4) Standard 1130 – Impairment to Independence or Objectivity

The discussion of independence and objectivity is broken down into the following areas:
• Organizational independence and the reporting lines of the IAA.
• Impairments to the independence of the IAA or the objectivity of an individual auditor.
• Policies that promote independence and objectivity.


A. Organizational Independence and Individual Objectivity

Organizational independence is achieved largely through the status of the IAA and the authority that the board gives to it. If the IAA is perceived to be important and reports to the board of directors, it will be more independent because of the support it receives from the highest levels of the organization. If, on the other hand, it reports only to the chief accountant and there is a perception within the organization that it does not add value to the organization (or is not respected by the board), the IAA will have less independence and its work will be less useful to the organization.

Note: It is vital for the IAA to have the support of senior management and of the board so that it can work freely and without interference.

From the Charter:
To establish, maintain, and assure that Company X’s internal audit activity has sufficient authority to fulfill its duties, the board will:
• Approve the internal audit activity’s charter.
• Approve the risk-based internal audit plan.
• Approve the internal audit activity’s budget and resource plan.
• Receive communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters.
• Approve decisions regarding the appointment and removal of the chief audit executive.
• Approve the remuneration of the chief audit executive.
• Make appropriate inquiries of management and the chief audit executive to determine whether there is inappropriate scope or resource limitations.

The chief audit executive will have unrestricted access to, and communicate and interact directly with, the board, including in private meetings without management present.

The board authorizes the internal audit activity to:
• Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.
• Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.
• Obtain assistance from the necessary personnel of Company X, as well as other specialized services from within or outside Company X, in order to complete the engagement.


Dual Reporting Lines for the Internal Audit Activity

The ideal reporting situation is for the CAE to have two separate reporting structures:

1) Functional Reporting is connected to the engagements and their results. Proper functional reporting is the source of independence and authority for the IAA. The CAE reports functionally to the board.
2) Administrative Reporting is the reporting relationship within the organization’s management structure that facilitates the day-to-day operations of the IAA. The CAE reports administratively to upper management.

Note: When there is an audit committee, functional reporting will often be done to an audit committee, rather than to the board.

This dual reporting structure is shown below. Because the CEO reports to the board, both the administrative and functional reporting lines end with the board of directors.

[Figure: dual reporting structure showing the Board of Directors, Audit Committee, Senior Management (CEO), and Internal Audit Activity (CAE), connected by Functional Reporting and Administrative Reporting lines.]

Functional Reporting

Standard 1110 addresses organizational independence and the interpretation provides a list of examples of functional reporting.

Standard 1110 – Organizational Independence
The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Interpretation:
Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:
• Approving the internal audit charter;
• Approving the risk-based internal audit plan;
• Approving the internal audit budget and resource plan;
• Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;
• Approving decisions regarding the appointment and removal of the chief audit executive;
• Approving the remuneration of the chief audit executive; and
• Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

1110.A1 – The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive must disclose such interference to the board and discuss the implications.

Practice Advisory 1110-1 provides more guidance about the role of the CAE in promoting organizational independence.

Practice Advisory 1110-1
1. Support from senior management and the board assists the internal audit activity in gaining the cooperation of engagement clients and performing their work free from interference.
2. The chief audit executive (CAE), reporting functionally to the board and administratively to the organization’s chief executive officer, facilitates organizational independence. At a minimum the CAE needs to report to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on engagement recommendations.

Administrative Reporting

PA 1110-1 provides a list of what administrative reporting typically includes.

4. Administrative reporting is the reporting relationship within the organization’s management structure that facilitates the day-to-day operations of the internal audit activity. Administrative reporting typically includes:
• Budgeting and management accounting.
• Human resource administration, including personnel evaluations and compensation.
• Internal communications and information flows.
• Administration of the internal audit activity’s policies and procedures.


Individual Objectivity

Being objective means that the auditor must make conclusions based on facts without being influenced by feelings, emotions, relationships, bribes, or any other outside influence. Individual objectivity is covered in Standard 1120.

Standard 1120 – Individual Objectivity
Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Further guidance is found in the Practice Advisory.

Practice Advisory 1120-1
1) Individual objectivity means the internal auditors perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Internal auditors are not to be placed in situations that could impair their ability to make objective professional judgments.

Maintaining Independence and Objectivity

Auditors should not be managers, not even temporary managers, in other departments and they should not make operational decisions in any part of the company. The Model Charter provides a list of activities that internal auditors should not do.

From the Charter:
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment, including:
• Assessing specific operations for which they had responsibility within the previous year.
• Performing any operational duties for Company X or its affiliates.
• Initiating or approving transactions external to the internal audit department.
• Directing the activities of any Company X employee not employed by the internal audit activity, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors.

Internal auditors will:
• Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.
• Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
• Make balanced assessments of all available and relevant facts and circumstances.
• Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.



B and C. Impairments to Independence or Objectivity

Standard 1130 requires the disclosure of any impairment to the independence or objectivity of an auditor or the IAA.

Standard 1130 – Impairment to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

An impairment is anything that might cause the auditor to be less than completely objective in an engagement. As listed in the Interpretation to Standard 1130, common impairments include:

1) A personal conflict of interest.
2) A scope limitation, including a restriction of access to records, personnel, or properties.
3) Resource limitation, which includes funding limitations.
4) Situations where the auditor is assessing operations for which they were previously responsible.
5) Assurance engagements for functions over which the CAE has previously had responsibility.
6) Consulting engagements in areas where assurance engagements are also performed.

If an auditor believes that independence or objectivity has been impaired, the auditor must disclose the nature of the impairment to the CAE or appropriate parties. If an impairment arises during an engagement, it must be reported immediately to the manager of the engagement so that the situation can be addressed or eliminated.

1) Conflicts of Interest

Conflict of interest is defined in the Interpretation to Standard 1120.

Standard 1120 – Interpretation
Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual’s ability to perform his or her duties and responsibilities objectively.

An auditor with a conflict of interest in an assurance engagement should be removed. The auditor can be reassigned back to the engagement if the conflict is resolved.

Any conflicts of interest in a consulting engagement should be disclosed to the client. If the client has no objections, then the auditor may remain on the consulting engagement.


2) Scope Limitations, Including Restriction of Access to Records, Personnel, or Property

A scope limitation is a restriction on the engagement that prevents accomplishing the objectives and plans. Scope limitations are discussed in PA 1130-1.

2. A scope limitation is a restriction placed on the internal audit activity that precludes the activity from accomplishing its objectives and plans. Among other things, a scope limitation may restrict the:
• Scope defined in the internal audit charter.
• Internal audit activity’s access to records, personnel, and physical properties relevant to the performance of engagements.
• Approved engagement work schedule.
• Performance of necessary engagement procedures.
• Approved staffing plan and financial budget.

3. A scope limitation, along with its potential effect, needs to be communicated, preferably in writing, to the board. The CAE needs to consider whether it is appropriate to inform the board regarding scope limitations that were previously communicated to and accepted by the board. This may be necessary particularly when there have been organization, board, senior management, or other changes.


3) Resource Limitations

Without sufficient resources and funding, the IAA may not be able to operate independently and objectively. For example, inadequate staffing, insufficient training, or outdated technology might invite compromises or shortcuts that would impair the IAA’s position in the organization.

4) Assessing Operations for Which Internal Auditors Were Previously Responsible

Objectivity is assumed to be impaired if an auditor performs an assurance review of any activity over which he or she recently had responsibility. Individuals who are assigned to or transferred to the IAA should not audit areas where they worked until a reasonable period of time has elapsed, usually at least one year. If an individual is assigned to an engagement where he or she worked in the past year, objectivity is presumed to be impaired and such facts should be clearly stated when communicating the results relating to the audited area.

Note: Objectivity is also impaired when auditors are auditing an area for which they will have future responsibility within one year after the engagement.

5) CAE’s Previous Responsibility for Non-audit Functions

It is possible that management could ask an internal auditor to assume responsibility for a part of operations that could be subject to periodic internal auditing assessments. Internal auditors should not accept such assignments, but it is possible that management may insist. If the IAA accepts responsibility and the operation is part of the audit plan, the CAE could minimize the impairment to objectivity by using a third party to complete the audit (for example, an external auditor or third-party contractor). In addition, the CAE should confirm that the individuals who have operational responsibility will not participate in any internal audits of the operation.

Practice Advisory 1130.A2-1 Internal Audit’s Responsibility for Other (Non-audit) Functions provides guidance for such situations.


Practice Advisory 1130.A2-1: Internal Audit’s Responsibility for Other (Non-audit) Functions

Primary Related Standard 1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.

1. Internal auditors are not to accept responsibility for non-audit functions or duties that are subject to periodic internal audit assessments. If they have this responsibility, then they are not functioning as internal auditors.

2. When the internal audit activity, chief audit executive (CAE), or individual internal auditor is responsible for, or management is considering assigning, an operational responsibility that the internal audit activity might audit, the internal auditor’s independence and objectivity may be impaired. At a minimum, the CAE needs to consider the following factors in assessing the impact on independence and objectivity:

• Requirements of the Code of Ethics and the Standards.
• Expectations of stakeholders that may include the shareholders, board of directors, management, legislative bodies, public entities, regulatory bodies, and public interest groups.
• Allowances and/or restrictions contained in the internal audit charter.
• Disclosures required by the Standards.
• Audit coverage of the activities or responsibilities undertaken by the internal auditor.
• Significance of the operational function to the organization (in terms of revenue, expenses, reputation, and influence).
• Length or duration of the assignment and scope of responsibility.
• Adequacy of separation of duties.
• Whether there is any history or other evidence that the internal auditor’s objectivity may be at risk.

3. If the internal audit charter contains specific restrictions or limiting language regarding the assignment of non-audit functions to the internal auditor, then disclosure and discussion with management of such restrictions is necessary. If management insists on such an assignment, then disclosure and discussion of this matter with the board is necessary. If the internal audit charter is silent on this matter, the guidance noted in the points below are to be considered. All the points noted below are subordinate to the language of the internal audit charter.

4. When the internal audit activity accepts operational responsibilities and that operation is part of the internal audit plan, the CAE needs to:

• Minimize the impairment to objectivity by using a contracted, third-party entity or external auditors to complete audits of those areas reporting to the CAE.
• Confirm that individuals with operational responsibility for those areas reporting to the CAE do not participate in internal audits of the operation.
• Ensure that internal auditors conducting the assurance engagement of those areas reporting to the CAE are supervised by, and report the results of the assessment, to senior management and the board.
• Disclose the operational responsibilities of the internal auditor for the function, the significance of the operation to the organization (in terms of revenue, expenses, or other pertinent information), and the relationship of those who audited the function.

5. The auditor’s operational responsibilities need to be disclosed in the related audit report of those areas reporting to the CAE and in the internal auditor’s standard communication to the board. Results of the internal audit may also be discussed with management and/or other appropriate stakeholders. Impairment disclosure does not negate the requirement that assurance engagements for functions over which the CAE has responsibility need to be overseen by a party outside the internal audit activity.


6) Consulting Services

Providing Assurance Service in Areas of Previous Consulting Engagements (1130.A3)

Standard 1130.A3 – The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.

Internal Audit Responsibility for Consulting Engagements (1130.C1 and C2)

Internal auditors may provide consulting services to areas over which they had previous responsibility, but they must act independently and objectively. Any potential impairment to their independence or objectivity must be disclosed to the client before the engagement is accepted.

Standard 1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

Standard 1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

Perceived Impairment of Objectivity

Objectivity must exist in both fact and appearance, which means that internal auditors must avoid even the appearance of impairment. Accepting small promotional items such as pens, calendars, or other insignificant items is generally not considered to impair professional judgment. However, any gifts of larger value should be immediately reported to a supervisor.

Note: An internal auditor can make recommendations to a department as part of a consulting engagement and still be objective in a future financial audit of that same department.

CAE Disclosure to the Board Connected to Independence and Objectivity

The Charter sets out two responsibilities that the CAE has in reporting independence- and objectivity-related issues to the board:

1) The CAE will confirm at least annually to the board that the IAA is organizationally independent. The CAE will need to make certain that the IAA maintains its organizational independence at all times.

2) The CAE will disclose to the board any interference with the IAA determining the scope of work, performing the work, or communicating the results.

From the Charter:

The chief audit executive will confirm to the board, at least annually, the organizational independence of the internal audit activity.

The chief audit executive will disclose to the board any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results.



D. Policies That Promote Objectivity

There are a number of procedures that the CAE can follow in order to maintain objectivity within the IAA:

• Job assignments should minimize potential conflicts of interest. For example, an auditor should not audit an area where his or her spouse works.
• Jobs should be periodically rotated so that relationships do not develop between the auditor and the auditee that might impair the auditor’s judgment.
• A strong QAIP will help ensure that organizational independence and objectivity are part of the culture of the IAA.

PA 1120-1 provides a list of things that can be done to maintain and promote objectivity.

2) Individual objectivity involves the chief audit executive (CAE) organizing staff assignments that prevent potential and actual conflict of interest and bias, periodically obtaining information from the internal audit staff concerning potential conflict of interest and bias, and, when practicable, rotating internal audit staff assignments periodically.

3) Review of internal audit work results before the related engagement communications are released assists in providing reasonable assurance that the work was performed objectively.


Appendix A: Glossary

These terms and definitions come directly from the IIA.

Add Value – The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.

Adequate Control – Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization’s risks have been managed effectively and that the organization’s goals and objectives will be achieved efficiently and economically.

Assurance Services – An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

Board – The highest level of governing body charged with the responsibility to direct and/or oversee the activities and management of the organization. Typically, this includes an independent group of directors (e.g., a board of directors, a supervisory board, or a board of governors or trustees). If such a group does not exist, the “board” may refer to the head of the organization. “Board” may refer to an audit committee to which the governing body has delegated certain functions.

Charter – The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.

Chief Audit Executive – Chief Audit Executive (CAE) describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title of the chief audit executive may vary across organizations.

Code of Ethics – The Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.

Compliance – Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

Conflict of Interest – Any relationship that is, or appears to be, not in the best interest of the organization. A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities objectively.

Consulting Services – Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.

Control – Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control Environment – The attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:

• Integrity and ethical values.
• Management’s philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.

Control Processes – The policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept.

Engagement – A specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.

Engagement Objectives – Broad statements developed by internal auditors that define intended engagement accomplishments.

Engagement Opinion – The rating, conclusion, and/or other description of results of an individual internal audit engagement, relating to those aspects within the objectives and scope of the engagement.

Engagement Work Program – A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.

External Service Provider – A person or firm outside of the organization that has special knowledge, skill, and experience in a particular discipline.

Fraud – Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

Impairment – Impairment to organizational independence and individual objectivity may include personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).

Independence – The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.

Information Technology Controls – Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.

Information Technology Governance – Consists of the leadership, organizational structures, and processes that ensure that the enterprise’s information technology supports the organization’s strategies and objectives.

Internal Audit Activity – A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.


International Professional Practices Framework – The conceptual framework that organizes the authoritative guidance promulgated by The IIA. Authoritative Guidance is comprised of two categories - (1) mandatory and (2) recommended.

Must – The Standards use the word “must” to specify an unconditional requirement.

Objectivity – An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.

Overall Opinion – The rating, conclusion, and/or other description of results provided by the chief audit executive addressing, at a broad level, governance, risk management, and/or control processes of the organization. An overall opinion is the professional judgment of the chief audit executive based on the results of a number of individual engagements and other activities for a specific time interval.

Risk – The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Risk Appetite – The level of risk that an organization is willing to accept.

Risk Management – A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.

Should – The Standards use the word “should” where conformance is expected unless, when applying professional judgment, circumstances justify deviation.

Significance – The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.

Standard – A professional pronouncement promulgated by the Internal Audit Standards Board that delineates the requirements for performing a broad range of internal audit activities, and for evaluating internal audit performance.

Technology-based Audit Techniques – Any automated audit tool, such as generalized audit software, test data generators, computerized audit programs, specialized audit utilities, and computer-assisted audit techniques (CAATs).


Appendix B: Model Internal Audit Activity Charter

The following model charter has been prepared and published by the IIA. The Model is presented as published, except that in the Model the IIA presents options of language for a handful of terms. The choices used for the model presented here are:

• “Name of organization” – Company X
• Internal audit department/activity – internal audit activity
• Board/audit committee/supervisory committee - Board

Purpose and Mission

The purpose of Company X’s internal audit activity is to provide independent, objective assurance and consulting services designed to add value and improve Company X’s operations. The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. The internal audit activity helps Company X accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

Standards for the Professional Practice of Internal Auditing

The internal audit activity will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. The chief audit executive will report periodically to senior management and the board regarding the internal audit activity’s conformance to the Code of Ethics and the Standards.

Authority

The chief audit executive will report functionally to the board and administratively (i.e., day-to-day operations) to the chief executive officer. To establish, maintain, and assure that Company X’s internal audit activity has sufficient authority to fulfill its duties, the board will:

• Approve the internal audit activity’s charter.
• Approve the risk-based internal audit plan.
• Approve the internal audit activity’s budget and resource plan.
• Receive communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters.
• Approve decisions regarding the appointment and removal of the chief audit executive.
• Approve the remuneration of the chief audit executive.
• Make appropriate inquiries of management and the chief audit executive to determine whether there is inappropriate scope or resource limitations.

The chief audit executive will have unrestricted access to, and communicate and interact directly with, the board, including in private meetings without management present.


The board authorizes the internal audit activity to:

• Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.
• Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.
• Obtain assistance from the necessary personnel of Company X, as well as other specialized services from within or outside Company X, in order to complete the engagement.

Independence and Objectivity

The chief audit executive will ensure that the internal audit activity remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the chief audit executive determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to appropriate parties.

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.

Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment, including:

• Assessing specific operations for which they had responsibility within the previous year.
• Performing any operational duties for Company X or its affiliates.
• Initiating or approving transactions external to the internal audit department.
• Directing the activities of any Company X employee not employed by the internal audit activity, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors.

Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity.

Internal auditors will:

• Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.
• Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
• Make balanced assessments of all available and relevant facts and circumstances.
• Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.

The chief audit executive will confirm to the board, at least annually, the organizational independence of the internal audit activity.

The chief audit executive will disclose to the board any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results.



Scope of Internal Audit Activities

The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to the board, management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for Company X. Internal audit assessments include evaluating whether:

• Risks relating to the achievement of Company X’s strategic objectives are appropriately identified and managed.
• The actions of Company X’s officers, directors, employees, and contractors are in compliance with Company X’s policies, procedures, and applicable laws, regulations, and governance standards.
• The results of operations or programs are consistent with established goals and objectives.
• Operations or programs are being carried out effectively and efficiently.
• Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact Company X.
• Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity.
• Resources and assets are acquired economically, used efficiently, and protected adequately.

The chief audit executive will report periodically to senior management and the board regarding:

• The internal audit activity’s purpose, authority, and responsibility.
• The internal audit activity’s plan and performance relative to its plan.
• The internal audit activity’s conformance with The IIA’s Code of Ethics and Standards, and action plans to address any significant conformance issues.
• Significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of, or requested by, the board.
• Results of audit engagements or other activities.
• Resource requirements.
• Any response to risk by management that may be unacceptable to Company X.

The chief audit executive also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. The internal audit activity may perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided the internal audit activity does not assume management responsibility.

Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management.


Responsibility

The chief audit executive has the responsibility to:

• Submit, at least annually, to senior management and the board a risk-based internal audit plan for review and approval.
• Communicate to senior management and the board the impact of resource limitations on the internal audit plan.
• Review and adjust the internal audit plan, as necessary, in response to changes in Company X’s business, risks, operations, programs, systems, and controls.
• Communicate to senior management and the board any significant interim changes to the internal audit plan.
• Ensure each engagement of the internal audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.
• Follow up on engagement findings and corrective actions, and report periodically to senior management and the board any corrective actions not effectively implemented.
• Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld.
• Ensure the internal audit activity collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the internal audit charter.
• Ensure trends and emerging issues that could impact Company X are considered and communicated to senior management and the board as appropriate.
• Ensure emerging trends and successful practices in internal auditing are considered.
• Establish and ensure adherence to policies and procedures designed to guide the internal audit activity.
• Ensure adherence to Company X’s relevant policies and procedures, unless such policies and procedures conflict with the internal audit charter. Any such conflicts will be resolved or otherwise communicated to senior management and the board.
• Ensure conformance of the internal audit activity with the Standards, with the following qualifications:
  o If the internal audit activity is prohibited by law or regulation from conformance with certain parts of the Standards, the chief audit executive will ensure appropriate disclosures and will ensure conformance with all other parts of the Standards.
  o If the Standards are used in conjunction with requirements issued by other authoritative bodies, the chief audit executive will ensure that the internal audit activity conforms with the Standards, even if the internal audit activity also conforms with the more restrictive requirements of other authoritative bodies.


Quality Assurance and Improvement Program

The internal audit activity will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply The IIA’s Code of Ethics. The program will also assess the efficiency and effectiveness of the internal audit activity and identify opportunities for improvement.

The chief audit executive will communicate to senior management and the board on the internal audit activity’s quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside Company X.
